Last Modified: Dec 05, 2024
Affected Product(s):
BIG-IP APM
Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4
Fixed In:
17.1.2
Opened: Nov 29, 2023 Severity: 3-Major
Identified during internal testing: the SAML assertion is not received in any use case when BIG-IP is configured as a SAML SP with POST binding. Refer to the bug ID 1318397. The following messages are logged on the SP:

    debug tmm5[12791]: 014d0501:7: ::6ac890bf:[saml_sp_crypto_get_header:1269] Error: ERR_FAIL
    err tmm5[12791]: 014d0002:3: Failed to read header 'APD_SamlCryptoAction' err 12
    err tmm5[12791]: 014d0002:3: SSOv2 plugin error(-1) in sso/saml_sp.h:632
The SP did not receive the assertion from the IDP, which affects the SAML authentication flow and prevents access to the resources.
This issue occurs under the following conditions:

1. Have a BIG-IP with a basic SAML POST binding setup.
2. "Sign Authentication Request" is enabled.
3. Add the following iRule to the SP virtual server to act as "clientless mode":

    when HTTP_REQUEST {
        # Add the "clientless mode" header to the incoming request
        HTTP::header insert "clientless-mode" "3"
    }

4. Access the SAML SP virtual server to see the error in the SAML IDP BIG-IP.
None
Proper validation has been added for SAML requests as POST in clientless mode during xbuf validation, after the earlier changes made in bug ID 1318397.
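The tmm messages quoted in the description are the only visible signature of this failure, so an operator checking whether an affected unit is hitting it needs to spot that sequence in /var/log/ltm. The script below is an added example, not F5 code; the line format (syslog level, tmm process and pid, eight-hex-digit message id, level, message) is assumed from the three quoted lines, and the sample log is constructed from them.

```python
import re
from collections import defaultdict

# Constructed sample: the three tmm lines quoted in the bug description plus an
# unrelated line to show it is ignored. The format is assumed from those lines.
SAMPLE_LOG = """\
debug tmm5[12791]: 014d0501:7: ::6ac890bf:[saml_sp_crypto_get_header:1269] Error: ERR_FAIL
err tmm5[12791]: 014d0002:3: Failed to read header 'APD_SamlCryptoAction' err 12
err tmm5[12791]: 014d0002:3: SSOv2 plugin error(-1) in sso/saml_sp.h:632
notice tmm5[12791]: 01490500:5: Session created
"""

# level, process[pid], message-id:level, free-text message
LINE_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<proc>tmm\d*)\[(?P<pid>\d+)\]:\s+"
    r"(?P<msgid>[0-9a-fA-F]{8}):(?P<sev>\d):\s*(?P<msg>.*)$"
)


def parse_tmm_line(line):
    """Split one tmm log line into its fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_clientless_saml_failures(lines):
    """Return one finding per tmm process showing the bug's signature: a
    saml_sp_crypto_get_header ERR_FAIL (014d0501) followed, in the same
    process, by the missing APD_SamlCryptoAction header error (014d0002)."""
    by_proc = defaultdict(list)
    for line in lines:
        rec = parse_tmm_line(line)
        if rec:
            by_proc[(rec["proc"], rec["pid"])].append(rec)
    findings = []
    for (proc, pid), recs in by_proc.items():
        saw_get_header = False
        for rec in recs:
            if rec["msgid"] == "014d0501" and "saml_sp_crypto_get_header" in rec["msg"]:
                saw_get_header = True
            elif saw_get_header and rec["msgid"] == "014d0002" and "APD_SamlCryptoAction" in rec["msg"]:
                findings.append({"proc": proc, "pid": pid, "msg": rec["msg"]})
                break  # one finding per process is enough
    return findings


if __name__ == "__main__":
    for f in find_clientless_saml_failures(SAMPLE_LOG.splitlines()):
        print(f"{f['proc']}[{f['pid']}]: {f['msg']}")
```

Pipe the real log through the same function (for example `find_clientless_saml_failures(open("/var/log/ltm"))`) to see whether the failure is present before and after upgrading to 17.1.2.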